Microsoft Azure MFA on-premises server supports time-based OATH (OATH-TOTP) third-party tokens. This is an alternative to using the Azure Authenticator mobile app as an OATH token. You can see other MFA authentication options in my Azure MFA Server–Authentication Types (Part I) and Azure MFA Server–Authentication Types (Part II) blogs. OATH tokens can be added or imported prior to being associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server or in the User Portal. Users can associate themselves with an OATH token during User Portal enrollment, or by using the OATH Token menu option when the User Portal is configured to provide this functionality. Bulk token import and configuration is also supported by MFA Server: an administrator can import OATH token records from an input file, and the secret keys must be in Base32 format. This blog provides step-by-step instructions for configuring a YubiKey OATH token with Microsoft Azure MFA Server.

Requirements:

The following are the pre-requirements to complete this configuration.

Microsoft Azure MFA Server supports only OATH TOTP (time-based) tokens, so you need to make sure that your YubiKey is in Yubico OTP Mode using the YubiKey Personalization Tool. Other configurations are optional for the Microsoft Azure MFA Server configuration and testing.

The YubiKey Personalization Tool can be used to program the two configuration slots. Also, it can be used to personalize the YubiKey in the following modes:

Username: Select the user for this OATH token. You can manually enter the username or use the Select User option to identify a user.

Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.

Generate a new OATH code from the Yubico Authenticator app using the button.

Enter this code in the Synchronize OATH Token window to complete token configuration in MFA Server.

Note1: MFA Server validates the OATH code against the OATH token's secret key and, if it is valid, synchronizes the OATH token's time. If it is not valid, you will see the following error message:

Note2: Azure Multi-Factor Authentication Server supports bulk import of token records by using an input CSV file. The file must be in a supported format and may be partially or fully encrypted with a password.

Note3: You may receive the following error message when you click the Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Could not load file or assembly ‘PfPskcClr, Version=0.0.0.0, Culture=neutral, PublicKey Token=null’ or one of its dependencies. A strongly-named assembly is required. (Exception from HRRESULT:0X8013100)

Azure MFA Server – End User Validation Using YubiKey OATH Token

The final step in this process is to validate the YubiKey configuration and authentication experience from an end user perspective.

To configure OATH token as the authentication type for an end user:

From the Multi-Factor Authentication Server UI, select the Users icon.

From the right pane, open the user properties by double-clicking the user object.

This will open User Properties / Edit User window as shown below. Make sure that the OATH Token is selected as the authentication type for this test user.

To validate this configuration, select our test user object and, from the bottom of the window, select the Test option.

The user will be prompted for the first/primary authentication using a username and password. Enter the username and password for the user, then click Test.

Then it will prompt you for the secondary authentication. In this scenario, it is the OATH code.

To generate a new OATH code, open the Yubico Authenticator app and press the button. The OATH code will be displayed as shown below:

Enter the current OATH code in the OATH Code field of the MFA application window, then click OK.